bumblebee | 7d5337ef04ddabac61a5f3dae4a9fdf17c6d0b64f1a1b5ae0b07b6bbc0bcbd9e

Analysis

max time kernel
141s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21-02-2023 21:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

req.ps1
Size

2.2MB
MD5

19bdf3110168f2ac48c599fac9e03e23
SHA1

c8ab417929970ae032cf6fede8743f829847d75f
SHA256

7d5337ef04ddabac61a5f3dae4a9fdf17c6d0b64f1a1b5ae0b07b6bbc0bcbd9e
SHA512

dbfd9d9c4a9c94024cf53a30c5041c1973e845100c214a04930d38cc895f6e81dda096a695140cb23a888f648334ba4d26a9abd5346c966b3df25c5828956be0
SSDEEP

24576:itC5Ja7ybVCbyfQCQfXk/SGv8raPHRJ4LtbgnuSW0v7wmlQccDjT96KjIM:iZQQCgcSM433DDwO

Score

10^/10

bumblebee 212cc trojan

Malware Config

Extracted

Family

bumblebee

rc4.plain

Extracted

Family

bumblebee

Botnet

212cc

104.168.157.253:443

185.173.34.35:443

103.175.16.104:443

86.106.131.105:443

23.82.140.155:443

173.234.155.246:443

195.20.17.75:443

192.111.146.178:443

23.254.167.63:443

51.75.62.204:443

103.175.16.13:443

146.19.173.86:443

160.20.147.242:443

51.68.144.43:443

205.185.113.34:443

157.254.194.117:443

194.135.33.184:443

91.206.178.234:443

172.86.120.111:443

185.17.40.138:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 7 IoCs

flow	pid	Process
1	4076	powershell.exe
4	4076	powershell.exe
16	4076	powershell.exe
18	4076	powershell.exe
20	4076	powershell.exe
22	4076	powershell.exe
23	4076	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4076	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4076	powershell.exe
4076	powershell.exe
4076	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4076	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4076 wrote to memory of 1720	4076	powershell.exe	81
PID 4076 wrote to memory of 1720	4076	powershell.exe	81
PID 1720 wrote to memory of 676	1720	csc.exe	82
PID 1720 wrote to memory of 676	1720	csc.exe	82
PID 4076 wrote to memory of 1912	4076	powershell.exe	83
PID 4076 wrote to memory of 1912	4076	powershell.exe	83
PID 1912 wrote to memory of 992	1912	csc.exe	84
PID 1912 wrote to memory of 992	1912	csc.exe	84

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\req.ps1
1⤵
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zifmcyfa\zifmcyfa.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6892.tmp" "c:\Users\Admin\AppData\Local\Temp\zifmcyfa\CSCB8CFE435C8F54081BFE58CF9ED783E1.TMP"
    3⤵
    PID:676
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lhlyldfz\lhlyldfz.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7544.tmp" "c:\Users\Admin\AppData\Local\Temp\lhlyldfz\CSC2257C95748734CABAFF1E93C35943E2.TMP"
    3⤵
    PID:992

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6892.tmp

Filesize
1KB

MD5
af375c267082539a8cb42ceb46dec120

SHA1
332de081f49f7880340eaec6be6afe83d58aff51

SHA256
c63b58e8ef133a083f51010eb66d6bddef53c8e9948c63234a7afa5b16b7ed79

SHA512
7f3bd3e95feef939d15d0abac837731c4154c7ed296127ae09682e0924db2ddd078fd86ae90bac65964f5fa86de8218a895422e3bc3e2b4114fe1e980bb6ea78

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7544.tmp

Filesize
1KB

MD5
20ef9f2acefab98ae40f3dbe7e301e01

SHA1
5c5627181bfa7706a1a434eb0ed3be88e79f5cd1

SHA256
f8686662543753ee8c5e7817d160070fa721f797e87067dd461f7790da756711

SHA512
513d680d31806d82bd26c9b1af0986d16d0d2582246ba2308bd1c89a11c6a13087ba27fdd6312665c93f6ba255384577f9be055880650de715af0f74fe7f942d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pideohky.0wc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\lhlyldfz\lhlyldfz.dll

Filesize
3KB

MD5
94530c1ae886d4e9d2b6f9f9b83c2eb1

SHA1
bb23caadad7581510885f55c64b35d12e2c4c717

SHA256
8dd24eb5a57158e317dc54c6504d7fca78ff2fe440fb3a37770f5bf39ebfe11d

SHA512
85cb63060c1e2d2d443bf82f7f763b59dc3651a61f1a48c852ee3c8c81c1bacdb2bd43741d4d24bc81e5a9e636aa0daf6cba55d0f725c8230cfe1632a1438c5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zifmcyfa\zifmcyfa.dll

Filesize
3KB

MD5
f4cb23983cc6e0e4a6b17b179c3ee16d

SHA1
ad42219765d96b6200342417969c45492e26b5de

SHA256
76aae692be2e7df99bc75054f482bd91ecdb2cf1c39c6c5685937148b25653fc

SHA512
994ff0445a27ed12d8aa50506e089bc05044a1943c3fa0bd89031cc27bbc63335f6f362083791b89f7f8bc5a1b35d8d02d3bf36e108086d0763ece985e985f99

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lhlyldfz\CSC2257C95748734CABAFF1E93C35943E2.TMP

Filesize
652B

MD5
d03aab982eba83ab90606e1908c64a53

SHA1
9dc7873789cd6596d8a845e91809fb7b7d20ff9f

SHA256
0ef39f5b7f9042f16281a38fac41996a6c62f7a9e5bea638e665d9025dd3d4c9

SHA512
d15b505fcae431ca9dd6514cbd294101a5107279a52d836a6ad28a66cb2f0e7027fd5d1debcf1f9d24e5872514b78db077b97602c267db436f6319490eca8311

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lhlyldfz\lhlyldfz.0.cs

Filesize
582B

MD5
2bb8d0ee93aeae61a09adf4db6f29c1c

SHA1
8da3034bb8f84ea2522e276b492b2797b5db30ca

SHA256
68d44e3c373d2aec9dacf51326cbfebcba76c1c1a56545e5e1cbf58b44a9f817

SHA512
b3ec6841a9541e96a671a7d81378293567972541d9cdfc3137b478d9b4d3cccd4b5f536d0f059ee9c12fe9ba86bca62b795139a5215843465cb751e0ade95677

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lhlyldfz\lhlyldfz.cmdline

Filesize
369B

MD5
85803825085d9d7486f110ccde12cfed

SHA1
9bec90404f64433d1036e9034481b35f70254f52

SHA256
be1057557a32c4b3c809969ae1232c0430c9f52d0838ec63c4d5c936246dcfe6

SHA512
3fbf4682facfd64a414e90aa4542def0149fd9130264740fe79160e34f4f65e547c02e506fa672230be0d276009b18894bbac4e8a7d160f74e5fe8da5e0ddadb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zifmcyfa\CSCB8CFE435C8F54081BFE58CF9ED783E1.TMP

Filesize
652B

MD5
dfb5dfb14eddfd1ed857d3cd6994bce1

SHA1
be67f666b40b8f29e86d9d243ab1cb1328d238f1

SHA256
675b4a8d1f559217f28d558d982655a39280218c883e0dcc441c1997ce5f9c7e

SHA512
c65a0d4c9ded57a3f943cc71362f01ecb8347d516c09cd7df23eeee0665f6ba71ceaa8d0c54f370d6fd69224ec8f15ce9c6e034b86938fad1e6883d3dccc3d3d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zifmcyfa\zifmcyfa.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zifmcyfa\zifmcyfa.cmdline

Filesize
369B

MD5
e5620e00247544f82f89065c26bddafd

SHA1
d976144f4b873325d653c8434f423868aa0e55f5

SHA256
4d5389d2c44b3284026056b551dcf2d4c10caa0904dcffa9b38dd5a5d49386b8

SHA512
7431a0a92476ac787a94b5664103ee4d263a3fbf748921cc1d0139d3aabb1aa348453f3de69f1df2a3e2a1470fb993a4597b8a676c38230775fe90363f76da7b

Download Submit
memory/4076-178-0x00000254F27B0000-0x00000254F2924000-memory.dmp

Filesize
1.5MB

Download
memory/4076-145-0x00000254EEF50000-0x00000254EEF60000-memory.dmp

Filesize
64KB

Download
memory/4076-144-0x00000254EEF50000-0x00000254EEF60000-memory.dmp

Filesize
64KB

Download
memory/4076-143-0x00000254EEF50000-0x00000254EEF60000-memory.dmp

Filesize
64KB

Download
memory/4076-172-0x00000254F2630000-0x00000254F27A4000-memory.dmp

Filesize
1.5MB

Download
memory/4076-142-0x00000254F2180000-0x00000254F21A2000-memory.dmp

Filesize
136KB

Download
memory/4076-179-0x00000254EEF50000-0x00000254EEF60000-memory.dmp

Filesize
64KB

Download
memory/4076-180-0x00007FFD51F70000-0x00007FFD51F71000-memory.dmp

Filesize
4KB

Download
memory/4076-181-0x00000254F27B0000-0x00000254F2924000-memory.dmp

Filesize
1.5MB

Download
memory/4076-182-0x00000254F27B0000-0x00000254F2924000-memory.dmp

Filesize
1.5MB

Download
memory/4076-186-0x00000254EEF50000-0x00000254EEF60000-memory.dmp

Filesize
64KB

Download
memory/4076-187-0x00000254EEF50000-0x00000254EEF60000-memory.dmp

Filesize
64KB

Download
memory/4076-188-0x00000254EEF50000-0x00000254EEF60000-memory.dmp

Filesize
64KB

Download
memory/4076-189-0x00000254EEF50000-0x00000254EEF60000-memory.dmp

Filesize
64KB

Download